Firms must report ransomware payments to NYS DFS as cyberattacks rise.
New York has amended its “first-in-the-nation” cybersecurity regulation and will require financial services firms to report ransomware payments at a time when cyberattacks are increasing, according to the regulator, the New York State Department of Financial Services (NYS DFS), and New York Governor Kathy Hochul.
In addition to the ransomware reporting, the updated regulations require financial services firms to “institute stronger standards and controls to secure sensitive data,” officials say.
The ransomware reporting requirement comes under the “Notice and explanation of extortion payment” section of the amendments.
“Each covered entity, in the event of an extortion payment made in connection with a cybersecurity event involving the covered entity, shall provide the superintendent electronically, in the form set forth on the department’s website, with the following:
- within 24 hours of the extortion payment, notice of the payment; and
- within 30 days of the extortion payment, a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control [OFAC],” according to the new amendments.
The amendments also expand the required use of multifactor authentication and retain a risk-based approach to cybersecurity regulation, says Adrienne A. Harris, superintendent of NYS DFS, in a prepared statement.
Harris says the amended regulation “continues the Department’s transformative, data-driven approach to cybersecurity oversight … Cyberattacks are on the rise, and the updates require the financial services industry to institute stronger standards and controls to secure sensitive data.”
Hochul adds: “My administration is doubling down on our commitment to ensuring that financial institutions have the safeguards in place to protect vital customer data and maintain the integrity of our financial system.”
The key changes in the cybersecurity regulation are:
- Enhanced governance requirements;
- More controls to “prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack;”
- Requirements for “more regular risk and vulnerability assessments, as well as more robust incident response, business continuity, and disaster recovery planning;”
- “Updated notification requirements including a new requirement to report ransomware payments;” and
- “Updated direction for companies to invest in at least annual training and cybersecurity awareness programs that anticipate social engineering attacks and that are otherwise relevant to their business model and personnel.”
In keeping with its data-driven approach, NYS DFS officials “conducted significant outreach through cyber symposiums and conferences and dialogue with state, federal and international regulators, industry, and other experts in the field of cybersecurity,” according to the announcement.
“The adopted amendment holds DFS-regulated businesses and licensed entities accountable for implementing cybersecurity protections, and ensuring they maintain cyber defenses appropriate to their size, nature of business, and the type of data maintained, among other relevant considerations while continuing to foster growth of New York’s financial services industry,” regulator officials add.
To help spread the word about the changes, NYS DFS officials will host a series of webinars offering an overview of the amended cybersecurity regulation. Registration details for these training events and the compliance timeline are available on the DFS website.
The full list of amendments can be found here: https://on.ny.gov/3QV6aSZ